On 12/18/2015 12:18 PM, Ben Greenfield wrote:
>
>> On Dec 18, 2015, at 12:35 PM, Noel Jones <[email protected]> wrote:
>> - consider using
>> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
>> to reject messages where the MAIL FROM address doesn't match the
>> SASL username. This won't prevent the user/spammer from using a
>> different From: display header name, but does make debugging easier.
>> This would have stopped this attack, or (more likely?) made the
>> attacker change tactics.
>
> I would consider this option but it seems if you have any virtual domains one
> also has to prepare a mapping file between virtual domain addresses and
> actual addresses.
Regardless of virtual domains or not, one of the requirements for this is
you must maintain a list of MAIL FROM addresses and the matching SASL
username owner(s). Depending on your environment this can range from a
no-brainer to an administrative nightmare. You get to decide if the effort
for your environment is worth it.
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

>
>> - consider using a dnsbl that rejects known spamming IPs before
>> permit_sasl_authenticated, such as sbl.spamhaus.org or
>> cbl.abuseat.org. Careful with this one; it's impolite to reject
>> real users' email and it's very possible a real user will get
>> infected and listed, generating a support call to you. In
>> particular, do not use a dnsbl that lists all home/dynamic/dialup IP
>> addresses. The IP you reported is listed in both cbl and sbl and
>> would be rejected (listed now, maybe it wasn't then).
>>
>
> We have people that travel in Europe all the time. If they tried to use an
> internet cafe for access they would be blocked by placing the blacklist in
> front of the permit_sasl_authenticated if the cafe IP was on the blacklist.
> That is what I would need to watch out for?

Not all public wifi hotspots will be blacklisted, but certainly some are.
It depends on if there has been a bad actor on that IP recently. Don't use
a dnsbl for submission that blocks sites "just because" they're a wifi
access point.

If you're a business, and commonly have employees traveling and using open
wifi, providing them a VPN might be a good idea to solve this and other
potential problems.

At any rate, using a pre-AUTH dnsbl would be a "strict" policy and probably
not worth the potential headaches unless you have more incidents.

-- 
Noel Jones
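The two controls discussed in the thread, the sender/login ownership map and a DNSBL placed ahead of permit_sasl_authenticated, as an added configuration example that is not part of the original list post. Domain, user and login names (example.com, alice, sales, postmaster) and the file path /etc/postfix/sender_login_maps are assumed placeholders; the DNSBL zone names are the ones named in the post, and the parameters and restriction names are the documented Postfix ones.

```conf
# --- main.cf (or as "-o" overrides on the submission service in master.cf) ---
smtpd_sasl_auth_enable = yes

# Table of MAIL FROM addresses and the SASL login name(s) that own them.
# This is the list the post says you must maintain; with virtual domains
# it has to cover the virtual addresses too, not only the mailbox owner.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Order matters: the mismatch check and the DNSBL run before the
# "permit" for authenticated users, so a listed IP is refused even with a
# valid password. Drop the reject_rbl_client lines for the softer policy
# Noel recommends unless incidents continue.
smtpd_sender_restrictions =
    reject_sender_login_mismatch
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    permit_sasl_authenticated
    reject

# --- /etc/postfix/sender_login_maps (run "postmap /etc/postfix/sender_login_maps"
#     after every edit; hypothetical entries) ---
# MAIL FROM address      SASL login(s) allowed to use it (comma/space separated)
alice@example.com        alice
sales@example.com        alice, sales
# An "@domain" key lets the listed login send as any address in that domain;
# convenient for a shared role account, broad for anything else.
@example.com             postmaster
```

With this in place an authenticated session for login "alice" may use either address listed for her, while a login that tries MAIL FROM of an address it does not own is rejected at the envelope stage, which is the behaviour the first quoted suggestion describes. The rejection is logged with the SASL login name, which is what makes the post-incident debugging easier; it does nothing about the display name in the From: header, exactly as the post warns.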
